22 Jul 2024, 8:53 p.m.
On 22/07/2024 19:14 EEST Yassine Chaouche via dovecot <dovecot@dovecot.org> wrote:
Dear list,
Look at this grep auth-worker | nl output from my dovecot log:

   166 Jul 22 15:49:47 auth-worker(24409): Info: sql(hakim.boukhadra@domain.tld): unknown user
   167 Jul 22 15:49:47 auth-worker(13026): Info: sql(prtg@domain.tld): unknown user
   168 Jul 22 15:53:00 auth-worker(13026): Info: sql(feriel.abbas@domain.tld,10.10.10.19): Password mismatch
   169 Jul 22 15:53:15 auth-worker(13026): Info: sql(feriel.abbas@domain.tld,10.10.10.19): Password mismatch
   170 Jul 22 15:55:26 auth-worker(13026): Info: sql(it_sys@domain.tld): unknown user
   171 Jul 22 15:59:30 auth-worker(13026): Info: sql(radioaintemouchent.domain.tld,10.10.10.19): unknown user
   172 Jul 22 15:59:43 auth-worker(13026): Info: sql(mouadoussama@radioalgerie.dz): unknown user
   173 Jul 22 16:00:38 auth-worker(13026): Info: sql(it_mam@domain.tld): unknown user
   174 Jul 22 16:00:58 auth-worker(13026): Info: sql(it_mam@domain.tld): unknown user
   175 Jul 22 16:02:01 auth-worker(13026): Info: sql(it_mam@domain.tld): unknown user
   176 Jul 22 16:09:35 auth-worker(13026): Info: sql(it_mam@domain.tld): unknown user
   177 Jul 22 16:09:42 auth-worker(13026): Info: sql(prtg@domain.tld): unknown user
   178 Jul 22 16:10:11 auth-worker(13026): Info: sql(it_mam@domain.tld): unknown user
   179 Jul 22 16:15:37 auth-worker(13026): Info: sql(it_sys@domain.tld): unknown user
   180 Jul 22 16:26:55 auth-worker(13026): Info: sql(it_mam@domain.tld): unknown user
   181 Jul 22 16:32:01 auth-worker(13026): Info: sql(it_mam@domain.tld): unknown user
   182 Jul 22 16:35:37 auth-worker(19555): Info: sql(it_sys@domain.tld): unknown user
As you can see, sometimes the IP addresses of the dubious login attempts are noted, other times this crucial piece of evidence is conspicuously absent.
I am wondering what the source of all those login attempts is. Or could those be mere username lookups instead, to test for mail deliverability?
Many thanks,
-- yassine -- sysadm
You would probably want to use the new event based system for these logs:
event_exporter log {
  format = json
  format_args = time-rfc3339
  transport = log
}

metric auth_failed {
  filter = event=auth_request_finished and not success=yes
  exporter = log
}
Aki
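Until the event exporter above is in place, the legacy auth-worker lines in the original post can still be parsed into structured records so that "unknown user" lookups, "Password mismatch" failures, and lines that carry no client IP can be counted separately. The following is an added example written for this thread, not code from the poster or from the Dovecot project. The sample input is a subset of the log lines quoted in the post (with the nl prefixes stripped); the regex assumes the sql(...) prefix is either "user" or "user,ip", which is what those lines show, and the interpretation that IP-less lines correspond to lookups without a client connection is the poster's open question, not an established fact.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: lines taken from the mailing-list post, nl numbering removed.
SAMPLE_LOG = """\
Jul 22 15:49:47 auth-worker(24409): Info: sql(hakim.boukhadra@domain.tld): unknown user
Jul 22 15:53:00 auth-worker(13026): Info: sql(feriel.abbas@domain.tld,10.10.10.19): Password mismatch
Jul 22 15:53:15 auth-worker(13026): Info: sql(feriel.abbas@domain.tld,10.10.10.19): Password mismatch
Jul 22 15:55:26 auth-worker(13026): Info: sql(it_sys@domain.tld): unknown user
Jul 22 15:59:30 auth-worker(13026): Info: sql(radioaintemouchent.domain.tld,10.10.10.19): unknown user
Jul 22 16:00:38 auth-worker(13026): Info: sql(it_mam@domain.tld): unknown user
"""

# Assumed line shape, matching the quoted log:
#   <syslog ts> auth-worker(<pid>): Info: sql(<user>[,<ip>]): <result>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) auth-worker\((?P<pid>\d+)\): Info: "
    r"sql\((?P<user>[^,)]+)(?:,(?P<ip>[^)]+))?\): (?P<result>.+)$"
)


def parse_line(line):
    """Return a dict for one auth-worker line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Lines without an IP are the ones the poster flagged as missing evidence.
    rec["has_ip"] = rec["ip"] is not None
    return rec


def summarize(text):
    """Aggregate parsed lines by result, by user/IP, and count IP-less lines."""
    records = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    by_result = Counter(r["result"] for r in records)
    per_user = defaultdict(Counter)
    per_ip = Counter()
    for r in records:
        per_user[r["user"]][r["ip"] or "no-ip"] += 1
        if r["has_ip"]:
            per_ip[r["ip"]] += 1
    return {
        "records": records,
        "by_result": dict(by_result),
        "missing_ip": sum(1 for r in records if not r["has_ip"]),
        "per_user": {u: dict(c) for u, c in per_user.items()},
        "per_ip": dict(per_ip),
    }


def noisy_ips(summary, threshold=2):
    """IPs with at least `threshold` failed auth lines; a simple alerting cue."""
    return sorted(ip for ip, n in summary["per_ip"].items() if n >= threshold)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("results:", s["by_result"])
    print("lines without client IP:", s["missing_ip"])
    print("noisy IPs:", noisy_ips(s))
```

Once the metric/exporter config from the reply is active, each failed auth_request_finished event is logged as one JSON record, so the fields this regex has to scrape (user, remote IP, outcome) arrive as named keys and the parser reduces to json.loads plus the same aggregation.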